Security researcher Patrick Wardle looked closely at how to remotely target macOS users using document handlers and custom URL schemes behind the "Do you want to allow" popup in the screenshot above It is.

Sylvania Home Kit Light Strip

In macOS, applications can "advertise" that they can support (or "process") various document types and custom URL schemes. Considering it as an application, "When the user tries to open a document of type foo Or bar all right! "

You certainly encountered this with macOS. For example, if you double-click a .pdf Document Preview.app It is launched to process the document. In the browser, when you click the link to the application on the Mac App Store, App Store.app It is invoked to handle that request.

Wardle will drill down deeply how these schemes are set from a development perspective and then consider how to target Mac users remotely using custom URL schemes.

Since Apple permits automatic downloading and decompression of "safe" files, users access malicious websites and .zip files are automatically downloaded. This zip contains the malicious application in question. From there a custom URL scheme is created:

When the target accesses Google's malicious website, downloading of the archive is started (.zipIt is stored in the file. When using Mac users SafariAchievement Automatically Apple thinks it is prudent to open a "safe" file automatically, so it is unpacked. This fact is most important because it means that a malicious application (compressed zip archive only) exists on the user's file system.